Azure security expert series: Cloud security with Ann Johnson

Captions
>> Hi, everyone. Welcome to the Azure Security Expert Series. I'm Ann Johnson, and I lead Microsoft's Cybersecurity Solutions Group. As part of my job, I'm able to meet security teams from virtually every industry doing amazing work to protect their organizations. Today, we're launching the Azure Security Expert Series because your work is business-critical. We want to do everything we can to equip and empower every security team out there with the latest security information for Azure, including tools and best practices. We also want to make this content accessible to anyone online. Now I've been around the security industry for about 20 years. I have to say though, I'm amazed at how quickly cyber crime has evolved in just the past few years. It's getting even harder than ever to keep up with the pace and the scale of cyber attacks. There are more connected devices, more apps, and even more endpoints, which means a broader digital estate and more attack vectors for cyber criminals to exploit. Cyber threats are not only increasing but they are becoming much more sophisticated. We are seeing a growing number of nation-state actors and an increase in sophisticated cyber gangs. That said, I've learned that for every security issue that makes headlines, there are countless untold stories; stories of hardworking teams who show up every single day to combat cyber threats. Yet there is also a massive shortage of trained cybersecurity talent. In fact, the talent gap is growing with three million cybersecurity jobs opening in the next two years. So it's critical that we recruit, that we train, and that we retain more cybersecurity experts to use modern tools to protect today's heterogeneous environments. It's also important that we attract diverse talent because our teams need to be as diverse as the problems we are trying to solve. 
Studies in fact show us that diverse teams make better decisions about 87 percent of the time, and yet today, women make up about 10 percent of the cybersecurity industry. Now Microsoft has launched several initiatives to address diversity in our industry. Through our partnership with the Security Advisor Alliance, we have created a full-day Capture the Flag event that is designed for students in 7th through 12th grades. With these events, our goal is to reach two million students in economically disadvantaged areas. We're also planning to create 20,000 internships and increase the number of women and minorities in security roles. In addition, to date, we've seen more than 4,000 registrations for our Microsoft-certified program for cybersecurity. We've also partnered with BlackHoodie to deliver a reverse engineering workshop for women at our annual BlueHat Conference, and we've even extended our efforts to Africa with training for women in Nairobi as part of the She Hacks Africa boot camps. We want to encourage you to create diversity initiatives within your own organizations. We also recognize that many of you work extremely hard and you may feel outnumbered by bad actors, so it's incredibly important that you take care of your own health and your own well-being. In today's episode, we're going to discuss five best practices to strengthen your security posture on Azure and safeguard your businesses in this rapidly evolving landscape. We also have launched the set of companion videos for those of you who want to dive deeper into specific topics. If you have any questions, please use the chat window. We have Microsoft security experts online to answer your questions throughout this session and up to about an hour afterwards. So why is Microsoft doing this series? Because helping our customers with cybersecurity is a top priority for us. 
We invest over a billion dollars a year and have hired more than 3,500 security professionals so we can deliver the best, most trusted security solutions and services. Even some of our largest customers in the world who significantly invest resources in cybersecurity don't come close to matching this level of resourcing or financial investment. The investments we make are designed to help teams like yours scale your ability to defend against bad actors and so you can focus on what's truly important. We take a robust holistic approach to offering you security across your operations, across our best-in-class technology, and with our strategic global partnerships. When it comes to operations, we have some of the world's best physical security and global Cloud infrastructure with over 100 data centers across the planet. Our operational controls include perimeter security, roaming patrols, background checks, video surveillance, verified single-person entry, and much more. We even inspect the BIOS and firmware from our vendors for security issues and we do this on a regular basis. We bring the power of all of our threat intelligence collected from Office 365, Azure, and Xbox to protect your workloads. Our Cloud infrastructure also has built-in protections from denial of service and we constantly monitor and mitigate threats through our cyberdefense operation center. When access is required to Azure infrastructure, we use just-in-time and just-enough access principles. We also lead the industry in offering payments, things known as bug bounties, to security researchers who reside outside of Microsoft so they can find vulnerabilities and notify the Microsoft Security Response Center. We believe strong operational practices create the foundation for customer trust and customer success. Our security technologies, built on Microsoft Azure, are designed to combat the most complex and the most insidious cyber threats out there. 
We take a shared responsibility model that gives our customers the ownership and control you want whilst empowering you with built-in security controls to keep your assets secure. We will discuss these technologies in much more depth later. But finally, our security strategy is bolstered with the power of partnerships. With ever evolving security threats and industry needs, we know Microsoft solutions are at their best when we tap our global community of partners. A great example of this partnership is the Microsoft Intelligent Security Association which brings together some of the world's most innovative security companies and gives our customers the choice and expertise they are looking for. Later in this episode, we'll hear from one of those partners, Check Point. Next up, we are going to dig into the five Cloud security best practices to help to keep your organization secure. But first take a look at this. [MUSIC] >> So now, let's talk about the five Cloud security best practices. To help us do this, we have Hayden Hainsworth, who leads our Azure Security Customer Experience team. Hayden and her team work every day with our top customers, so they know which best practices are the most effective. Hayden, thank you so much for joining us today. >> Thanks, and I'm delighted to be here. >> So Hayden, as our customers consider Cloud security, what do you actually offer as best practices? >> Well, Cloud security is a fundamental new landscape to begin with, and while many of the security principles remain the same as on-premises, the implementation is often very different. So it's important that you assume breach as a mindset and understand that the perimeter has changed significantly. So given that, a new paradigm is needed, and how you think about access controls and network security fundamentally needs to change. 
While there has been a lot of heavy lifting that has been done by the Cloud provider, in this case, us on your behalf, you still have a role to play, and we call that a shared responsibility. So it means, the way you work needs to change. So let's go ahead and dive in and explore some of the best practices in some key areas. We'll talk about identity and access control, security posture management, apps and data security, threat protection, and my favorite, network security. It's a mouthful and there's a lot to learn. >> Yeah, you're right. There is a lot to learn. So let's break it down into simpler concepts for our customers. Let's start with identity and access control. >> Now our first best practice is to strengthen access control. Think of it as your front door, because frankly, while a firewall was necessary t Why? Due to the proliferation of the Cloud, mobile devices, and the Internet of things. It's very difficult given the proliferation of devices really to operate in this mindset that everything is contained neatly behind your classic firewall, and so we need to operate in a zero-trust model. Now what do I mean by that? It means trust no one or anything, so a machine, a human, a resource, or a thing. Identity becomes the new perimeter. So you need to verify the identity of everything and anything that's trying to authenticate or connect to your systems before granting access. >> So given all of that and given the concept of identity as the new perimeter and zero trust networking, what is a really good first step? >> The very first step, Ann, is to turn on Multi-Factor Authentication or MFA. This significantly will reduce your chance of identity spoofing. Three years ago, Microsoft was on a gradual roll-out of MFA across our company. Yet, another Fortune 100 company was compromised. It was significant, it hit the press, it was a really big deal. It was a wake-up call, quite frankly, and so we rapidly accelerated our own deployment of MFA. 
But even today, three years later, it's really disappointing that not every enterprise customer has MFA turned on, and so in 2019, it really is a must-do. >> Yeah, MFA obviously is a must, I mean, we're on a mission to move our customers away from passwords, right? Because people tend to use weak passwords. They will use their dog's name, or they'll reuse the same password on every website. >> Yes, they do, Ann. It's critical that we move away from passwords to password-less. But also one of the recommendations I have is to remind people not to put their passwords in places like OneNote, or OneDrive, or SharePoint, or Box, or Dropbox. It's very easy for an adversary, unfortunately, to get a foothold and then to discover those passwords and use those to authenticate against another machine, laterally move across the network, escalate privileges, and achieve domain dominance. So our recommendation is to move beyond passwords altogether and take advantage of the power of biometrics, so fingerprints, facial recognition. It's so much simpler, it increases the users' productivity, and it enhances their security significantly. >> So now that we've talked about passwords, we've talked about eliminating them using MFA, using Windows Hello for Business, or other biometric controls. How do we think about users and access control? >> So we recommend taking advantage of what we call conditional access. Now, conditional access is going to give users access to only the resources that they need while inspecting for potential sign-in risks, such as logging in from a suspicious or unknown location, or potentially whether that device is missing multi-factor authentication. Now, a best practice additionally is to give least privilege access or the lowest amount of access to the lowest number of necessary users, and we call this least privilege. It was really, really hard to do on-premises, but in Azure, it just makes it so much easier to set up. 
Finally, we have a concept called JIT access, just-in-time access, using Azure Privileged Identity Management or PIM. Now with PIM, you can require approval prior to granting access, and more importantly, you can audit the access history. Now finally, I recommend using Azure's RBAC or role-based access control at the actual resource level. These will then enable you to assign one of Azure's many built-in roles or create your own custom role for a specific set of resources. >> So what I'm hearing is identity is critical, obviously, access control is important, and our customers are always asking for simplified security controls in the Cloud that are more automated, and it sounds like Azure's bringing those controls to them. >> Exactly. Now that's why we recommend that we assume breach and that you create a zero-trust model, implement MFA, and assign that appropriate access control. >> Thanks, Hayden. There's a lot of things for our customers to consider there. But talk to me about the one question I get from almost every customer. How do we protect access to the customer's data within the Azure tenant? >> So that's a very good question, Ann, and we get this all the time as well. It's super important to understand that we respect customers' privacy, we take this accountability very seriously. It's important to understand that your data is your data, our engineers have no access to your data. Even if something bad happens to your environment, we don't have access to your data. Now, of course, there are cases where you may choose to ask us to help you, and in that case, we've engineered a solution that we call Customer Lockbox. It's generally available, and it allows our support engineers to get access you grant, of course, so that we can help isolate and troubleshoot that particular machine for you, and it also provides a complete audit history as well. >> So it's exciting to note that Lockbox is generally available today. >> Yes. 
>> We get to announce something, not just talk. Anyway. >> This further demonstrates our commitment to customer privacy, our commitment to customer security, and making sure that our customers have the simplified tools that you need for Azure Security. So now let's talk about something different. Let's shift. Let's talk about how customers can increase their security posture. I mean you can't do posture management well without getting visibility into your assets, into your environment. So can you talk a little bit about how Azure handles inventory and access to that inventory? >> Absolutely. So with Azure, asset inventory is really quite simple. Now you go to the portal, and you'll see a list of all of your resources. It's a really big improvement from asset management on-premises, which quite frankly was a manual, cumbersome, and error-prone process. >> Then how do you improve the security based on having the visibility to those assets in Azure? >> So the first thing first is to turn on Azure Security Center, and check out your Secure Score rating. The Secure Score is this intuitive concept with a very clean UI with a numerical value, and that Secure Score is going to give you a number that shows you, at a glance, how secure you are, and what your security posture management is in Azure. It will also then provide you with the list of the top recommendations to go remediate with the highest level of impact first, so that you can greatly increase your Secure Score. >> Do you find that sometimes customers aren't actually turning on Secure Score Azure Security Center for all of their times? They only turn on maybe when security is involved. >> Yes, and it's a problem. So the first action is that they actually do need to turn on Azure Security Center. So you need to enable it, it's not on by default. Secondarily, what we find is that oftentimes, a particular subscription owner will be aware to turn on Azure Security Center, and in other cases, they may be unaware. 
So it's really super important that for every subscription in an environment that they enable Azure Security Center. >> Okay. What roles typically are going to use Azure Security Center within a customer? >> For the most part, I think of it as a CISO potentially or the security admin would use Azure Security Center, and sometimes SecOps will use Security Center. Now, we do have dashboard recommendations for all of your resources, I forgot to mention that, and that extends beyond just your virtual machines, to networking, storage, SQL, your app services, and of course, IoT now as well. >> So speaking of virtual machines, right? Big concern for everyone. What is one of the most common attack vectors we see? >> Yeah. One of the most common attack vectors is open Internet, exposed endpoints. So adversaries are going to brute force passwords over SSH and RDP. Now, it's a critically important vector to lock down, and we understand that teams need to be able to manage their environments. So there is a time when they need to open an RDP port. But leverage the power of Cloud and automation to harden that environment and use JIT VM access to close those Internet ports. With JIT VM access, you can open IPs for a specific duration and for specific ports, and so it greatly will decrease that attack vector by having open Internet exposed endpoints. >> Excellent. So that's kind of how we protect our virtual machines or at least one way to protect our virtual machine from brute-force hacking. What are other ways we could protect resources like IoT, which all customers are concerned about today? >> Rightly so, right? That is a huge vector that's quite difficult to contain. Getting that right is really important, and we know that the world is shifting, and so we've got smart light bulbs, and we've got smart cars, and smart cities now. 
There was a story about a casino that has state of the art security that unfortunately was compromised due to a thermometer that was sitting in that fish tank. >> Rogue fish. >> I know. It was connected to the Internet. So Azure Security Center can assess your security posture and look for those IoT devices, so that you can ensure they're running the latest patches or take the compromised devices offline. Now one of the challenges with IoT is that not every device actually meets today's security needs. Some of them, quite frankly, aren't patchable. So we have a solution for that, that we've introduced called Azure Sphere. Now it's a modern secure micro-controller with a secure operating system that connects to Azure, and then it represents a generational leap forward in IoT security. It's phenomenal. >> So we see a lot of interest in IoT, a fundamental belief the Cloud is the only way to implement and scale that type of security to protect the proliferation of IoT devices we've seen. To summarize where we are right now, because we're covering a lot of content, Azure Security Center is the most mature Security Center of any public Cloud. If you're a security admin, if you're a subscription owner, you'd actually need to understand your Secure Score and how to improve it, and you need to turn on, as Hayden said, Azure Security Center. One of the challenges that we find our security admins face every day is they're fighting fires, right? They're not doing anything proactive to secure their environments. They're being reactive, they're responding to a lot of noise and a lot of signal. So talk to me a little bit about how security admins can spend more time being proactive and less time fighting fires. >> It's true, absolutely. So one area that will help you get out of reactive or a firefighter mode is if you can collaborate with your DevOps teams up front on key security policies. 
So that way, you can apply the policies at the beginning of the engineering cycle as secure DevOps rather than DevSecOps, and it's something that we call shift left. Now implementing shift left is quite difficult and challenging on-prem, because you don't have a consistent management plane. But in Azure, we have ARM which is a game changer. >> What exactly is ARM? >> Thank you. Sometimes I overuse acronyms. So ARM stands for the Azure Resource Manager, and it's a consistent management plane for Azure, and every resource in Azure can have a policy applied to it. >> Can you give me an example of what type of policies you'd apply via ARM? >> Absolutely. So an example policy would be ensuring that there are no public facing IP addresses or Internet exposed endpoints, ensuring that Azure Security Center is enabled or that your disks are encrypted. There's literally thousands of policies that you can configure in Azure. We've seen our customers like British Petroleum create groups of security policies for different users. In BP's case, they have three classes of users, and these classes have three different groups of security policies based on only what that business group needs. So the security team will work with the DevOps team to adjust specific policies over time. Once again, you want to give the appropriate access to the specific role so that they have just what they need, not too much and not too little. It's like the Goldilocks of access. >> Speaking of BP, let's hear directly from them. It's really exciting to hear what BP is doing with Azure. But when we talk about policies, can customers ensure that the policies are adhered to before a project is implemented or do they only implement them afterwards? >> That's a good question. So what is exciting is that you can check policies before a project is actually deployed. So your DevOps teams can embed run time checks against security policy that you define directly in the release pipeline itself. 
So what that means then is that code is not released until it meets your requirements, which is a huge win from a compliance perspective. You can even create subscriptions in Azure for your DevOps teams where they have everything that they need upfront, which includes those important security policies, the resources, and the roles that need access in just a few clicks, and we call this a blueprint. >> Can you define a blueprint just a little bit more? >> Absolutely. I'm so glad you asked because blueprints are amazing, and they're relatively new. So the concept is that it can be really cumbersome for Cloud architects and very large enterprise customers to be able to stamp out, if you will, consistent templates. We have a concept of template, but the blueprint is an uber level on top of that, that helps ensure standardization. I think of it like a blueprint for your house. If you have a blueprint for your house, any contractor that comes to work on your house can follow the map, follow the blueprint, to ensure that they're building your house to code. So in essence, there's a similar concept here with Azure that any application developer that wants to dock into the overarching Cloud architecture for an enterprise customer can follow that blueprint, and they have what they need in order to be able to scale out those services, and do so in an accelerated way. >> That's great, Hayden, because one of the things our customers consistently tell us is they want simpler Cloud controls for security, and this sounds like it really simplifies the replication of different policies. >> Correct. >> Perfect. So the other thing Azure does is it opens the door to a new level of governance and strategic collaboration between those DevOps teams and security teams. This is obviously important in today's business environment where regulatory compliance is critical and regulations are increasing every day. 
So in Azure, can I actually test my policies against certain controls like ISO or against PCI? >> Absolutely. Yes, you can. These are table stakes quite frankly. Regulatory compliance is critical, it's a must-do, and so we have to operate and provide this capability for our customers. So you can absolutely select what you must adhere to, like PCI or ISO 27001, in the Azure Portal, and then compare it against that level of compliance against a pre-canned set of policies. You can also print out a copy, and if needed, share it with your auditor. >> That's great. The ability to automatically share it with your auditor will certainly help a lot of our customers. >> Let's move on to another best practice, and let's talk about how we actually secure apps and data. So when it comes to protecting apps, there are differences in the shared responsibility models depending on whether you're on IaaS, or depending on whether you're on PaaS, or depending on whether you're on SaaS. So can you talk a little bit about the shared responsibility and the differences? >> This is so important to land. So Cloud is a shared responsibility, and depending on where you are on that journey, there is a different responsibility for you as the customer and a different responsibility for Microsoft. So it's really important that everybody understands that. For IaaS applications running in virtual machines, there is more of the burden on you as the customer to ensure that both that application and OS is secure. Now, as you move higher up the stack to Cloud-native PaaS, Microsoft will take more of the security responsibility at the OS level itself. For SaaS applications, we'll manage even more of it. >> Excellent. So while I'm writing those PaaS applications, all right, what do I need to consider from a security perspective? >> So first start by following strong security best practices like the SDL or Security Development Lifecycle. 
We've led the path forward for many years in the industry in SDL, not just for our own services, but also in helping our customers deliver secure code. So it's really important to make sure that your developers are trained in SDL, and that you have a clear set of metrics, and that you're performing high-quality threat modeling consistently and often. You should also consider using the Azure Secure DevOps Toolkit, which is a collection of scripts, tools, and extensions with a focus, a heavy focus on automation and integration into native workflows to help your DevOps teams accomplish secure DevOps or shift left. >> So we know that developers are working at high pace also, a lot of demands on their time. How can we help people avoid security mistakes when they're actually building applications? >> Good question. Now, when it comes to building applications, one of the common mistakes that we see, unfortunately, is developers embedding secrets, like a connection string, directly within code, and then uploading that code to a public repository like GitHub. >> Wow. >> Yeah. It's not good. So attackers of course are continuously hunting for secrets, so it's really important that you don't store them in a public repository. We do have a tool called CredScan, which is constantly monitoring and scanning those public GitHub repos to identify any repository that may contain an Azure secret. If it finds an issue, we'll send an e-mail to the GitHub subscription owner from our CDOC, Microsoft Cyber Defense Operations Center. Now, we also recently integrated this tool into Visual Studio, so you can check your own code for issues while editing. >> So if I'm not going to share my secrets and keys and my code, what am I going to do with them? >> We have a solution for that. We actually engineered one. It's not just secrets and keys, but certificates as well. We call it Azure Key Vault. 
So you can store your secrets and keys in your Key Vault and then request them from your application at runtime. You can also manage your certificates and auto-renew them with Key Vault. Now, we learned this the hard way due to an Azure outage. Certificates expire, they're cumbersome, complex, and difficult to manage and maintain. So we engineered a solution called Key Vault to help store your secrets and your keys safely and securely and help you manage your certificates. >> That's fantastic. I started my security career as a PKI architect. >> I didn't know that. >> So I'm super familiar with all of the challenges and scalability issues of certificates. So automatically making sure they're renewing, hugely important. In addition though, Hayden, many of our customers in highly regulated industries tell us that they want direct access to the HSM or hardware security module. They actually don't want the management that Key Vault provides. So how do we accomplish that? >> Well, I'm glad you asked because it's a good question and it actually demonstrates that we're listening to our customers, and that we're continuously improving and continuously iterating. So we do offer direct access to HSMs or hardware security modules for customers who want to use their own code and manage secrets. >> That's fantastic. So we've talked about building secure apps. We've talked about how you manage your secrets, your certificates, your keys. But how do we actually protect the customers' data? >> Well, for data, you need to think about encryption and make sure you have a plan for the different types of data that are out there like disks, storage, and databases. Now in Azure, we encrypt storage and disks using industry-standard encryption. So you could use Microsoft-managed keys, and in other cases, you could bring your own key. >> How do we actually provide security for databases? 
>> Well, for databases, for SQL, there's transparent data encryption and the newer SQL Always Encrypted, which actually works at the column level itself to ensure that data is inaccessible even to the database admins themselves. >> So an awful lot to consider when you're securing applications, from dev practices to secret and key management to actually protecting the data and protecting the database. Now, that all being said, and we've talked about identity, we've talked about access management, we've talked a lot about a lot of things, but let's move on to something that's incredibly important to all of our customers every day in this assumed breach environment. Let's talk about how we mitigate threats. We all know that defense in depth requires us to assume that breach. We know that Threat Protection helps us identify malicious activity, and we need to do this very quickly, right? Time to detection is incredibly important. So what are some common best practices when it actually comes to mitigating threats? >> So we already talked about the importance of threat prevention. So we're going to shift in our operational security model to focus on threat detection and threat response. Azure Security Center has built-in threat detection that supports many Azure resources, including virtual machines, databases, storage, and IoT. So you do want to make sure that you turn it on for all of your resource types, and not just your VMs. In other Clouds, we've seen storage as a primary target in numerous incidents. Now, our protection tools take advantage of Advanced Threat Analytics. So what that means is, if you assume breach as you said and we think about detection, you want to be able to detect when there is an escalation that's happening or lateral movement from compromised credentials. We also have six and a half trillion signals from operating one of the largest Clouds in the world, and we've connected these all together with what we call the Microsoft Intelligent Security Graph. 
We have an API for that that you can call, your application developers can call so that they can use the power of the graph in the application that they're developing as well. Finally, what I'll say is that security admins and security operations, or SecAdmins and SecOps, can visualize those threat alerts from their Azure resources in a single pane with Azure Security Center. Now Coca-Cola Business Services North America tells us that using ASC is a great value add that really allows them to respond quickly to threats. >> So Azure Security Center provides threat protection for Azure, but what about security incident and event management or SIEM? Many of our customers have legacy on-premise SIEMs that have been great logging devices, but not fantastic analytic devices. So how do we make SIEMs more successful in the Cloud? >> So SIEMs have been an important security tool to help those security analysts consolidate logs from diverse signals and identify abnormalities. Existing tools were designed for on-premise architectures. So what we hear often from customers is that they're very expensive and difficult to maintain, and they're also overwhelmed with the sheer volume of signal and the low fidelity of those signals. So there's a lot of noise. We've developed an approach and we call it the next-generation SIEM. It's introduced as Azure Sentinel. >> Excellent. So talk to me a little about Microsoft Azure Sentinel. >> So we designed Azure Sentinel for first party. Now, I'm using it in an internal code name here, Ann. So basically our Security Operation Center needed a completely different model in order to be able to detect and respond to the sheer volume of signal that we see in the Cloud. So we needed to engineer a new solution. Now, we have this concept called first party equals third party, and basically what that means is, anytime we need to solve at Microsoft, what we want to do is engineer a solution so that our customers can take advantage of it. >> Makes sense. 
>> So the third party solution in this case is called Azure Sentinel. We're delighted to bring it to market, and it is the next-generation SIEM born in the Cloud for the Cloud. >> It's been known, I believe, to reduce alert fatigue by about 90 percent as a Cloud-native SIEM, right? >> Correct, correct. >> Excellent. So thank you very much, Hayden, for that information about Azure Sentinel. I'd like to invite AJ, who's actually going to demo Microsoft Azure Sentinel for us. >> Thanks, Ann. I'm excited to show you Azure Sentinel today. Let's get started. Here is an executive dashboard for Azure Sentinel. It shows a snapshot of important security events in your organization and recent cases. Azure Sentinel can collect data from all your sources, from on-premises to Azure itself and even other clouds. You do that with these built-in connectors. With a few clicks, you can collect data from Azure Active Directory, or Office 365, and Azure Security Center. You can also connect to partner solutions like Check Point, Palo Alto, or Cisco, and many more. Finally, you can connect to industry-standard formats like Syslog and Common Event Format. Once you collect data, you can draw contextual insights with custom dashboards. This example shows you a custom dashboard for Office 365 and all the data-related insights based on Office 365 workloads. By the way, on Office 365 data ingestion: you can connect your Office 365 data for free in Azure Sentinel. Let's check out the detection and analytics components now. Azure Sentinel already includes many detection rules for common attack scenarios, and you can create your own detection rules and queries. Azure Sentinel is built on the proven foundation of Azure Monitor and Log Analytics, which currently ingests more than 10 petabytes of data per day. Here is a simple threat detection query showing user sign-ins in the last week. The machine learning models have identified an anomalous pattern for us already.
A query has been automatically generated, and now I can analyze users' sign-in behavior in more detail. As you create proactive hunting queries, you can also integrate popularly used tools like Jupyter Notebooks to visualize and enrich your hunting experience, as you see here. Ultimately, we want to understand and mitigate the threats quickly, which you do using cases in Azure Sentinel. >> We use AI to fuse together multiple low-fidelity signals into actionable alerts. Here you can see actionable alerts against detected threats. You can also manage the full life cycle of an event and its associated alerts. Let's drill into the Anomalous Login alert. This interactive graph makes it easier to understand and map the entire attack. You can see a compromised user account has already accessed multiple servers, and it has also run a suspicious script on those servers. The next step is to mitigate this threat. You can automate and orchestrate your response using playbooks. Now, this particular playbook blocks the compromised user account using Azure Active Directory. First it creates a service ticket using the integration with ServiceNow, and it also blocks the suspicious IP address on the firewall. There is a thriving community of security experts sharing best practices, queries, and dashboards on our Azure Sentinel GitHub. You can get started today with Azure Sentinel. It's right there in your Azure portal. Thank you, and back to you, Ann. >> Thank you, AJ. I really appreciate you showing the investigation experience with Jupyter Notebooks and the playbooks. I also have to say the response to Azure Sentinel has been fantastic: since we announced it at the RSA conference in March, more than 8,000 customers have already begun using it. But let's wrap up our conversation with Hayden and cover our final best practice, Managing Networking. We're in a time of network [inaudible], so what best practices can you share for network security in the Cloud? >> You're right.
We've come a long way since the '90s when the Internet was born and we started from the LAN movement to the WAN, and yet we're here again with another transformation with the Cloud. So with the Cloud and a proliferation of devices in IoT, the entire network landscape has changed and a new paradigm is needed. Once again, I strongly advise that you embrace a zero trust approach, and that means trust no one, trust nothing, embrace location, and remember that identity plays a much larger role in this new software-defined networking environment. >> So we know identity is very important. We know we're in a zero trust world. Sometimes a customer will ask me, should I just turn off my firewall then? >> Absolutely not. No. Zero trust doesn't mean that you should turn off your firewall. It's quite the opposite. In fact, we have an Azure Firewall and we have a Web Application Firewall, and we recommend that you use both. You need to remember that operational security posture, which is protect, detect, and respond. So appropriate controls need to be in place to protect the perimeter, detect adversarial activity, and then help you build that response muscle as well. So setting up your firewall is very important. If you only protect with a firewall and then create a flat network, a flat network will make it much easier for attackers to move laterally. So don't do that. You want a micro-segmented network instead. Now, in Azure, we've created a micro-segmented network with NSGs, or Network Security Groups. In fact, NSGs are one of the top recommendations, right behind MFA, for Azure Security Center. So get familiar with concepts like virtual networking, subnet provisioning, and IP addressing. >> Thank you, Hayden, and of course Azure does have built-in networking services. But we also give our customers flexibility. They have choice. You can find offerings from F5, Barracuda, Cisco, and Check Point in the Azure Marketplace.
With that, I'd like to invite Ron Nahmias from Check Point to share more about the collaboration between Check Point and Azure. Thank you for joining us, Ron. >> It's great to be here. For the last 25 years, Check Point has been securing customers on-premises, and recently in the Cloud, with their security needs. Our collaboration with Microsoft and the move to Cloud has also shifted us to focus on cybersecurity, with Cloud expertise mostly. >> So we're really excited to have you here because obviously our customers, we have 100,000 mutual customers, they're migrating to the Cloud, they want to maintain their security posture, their compliance or governance, and we're partnering with Check Point to make that seamless and simple for them. So tell us more about how Check Point is actually helping those customers secure their Azure networks. >> [inaudible], most of our customers are focusing on taking the existing security posture from the on-premises environment into the Cloud. That makes the whole transition much easier for the security team to support, understand, and maintain. We are looking at capabilities that are very unique to Check Point that our customers have gotten used to, such as east-west and north-south traffic with deep-packet inspection and threat prevention and so forth. In addition, our acquisition of Dome9 late last year gave us the ability to offer our customers automation of understanding of their configuration, their roles, and how everything correlates within a Cloud environment that is significantly different than what they're used to in the on-premises environment. >> That can also help customers in emerging things like Azure Kubernetes Service or serverless environments?
>> Yeah, the emerging services actually create a new challenge for customers, where they come to look at Kubernetes, which is something they didn't know, containers, Azure Functions, all new compute workloads that customers are looking to us to help them secure as they are adopting and transitioning to the Cloud. >> Excellent. Well, yeah, it's a valuable partnership. We're obviously helping our customers make the transition to Cloud much easier. >> That's right. The security personnel that we work with are being challenged with a whole new task or list of tasks that they are not used to, and their ability to take the known, trusted Check Point environment and extend it to the Cloud seamlessly while maintaining the exact same security posture on-premises and in the Cloud in this hybrid environment makes it very easy for them to adopt. >> So earlier AJ did a demo of Microsoft Azure Sentinel. Can you talk a little bit about how Check Point integrates with Azure Sentinel? >> So we were launch partners for Sentinel, and we built a connector that allows Check Point and Sentinel to exchange data, and our customers who are looking at Sentinel can consume input from Check Point as well as the rest of the sources and get a bigger, better picture. >> So what are your plans? What's coming up from Check Point for our Azure customers? >> The first thing we hear from our customers is the need to simplify. So we're building tools that will allow customers to assess the security posture in the Cloud and deploy security tools and policies automatically. This is going to be wizard-based, and it makes it really simple. This is one of the things that we hear security people very concerned about.
The second thing we're doing, again very closely with Azure, is working on SD-WAN technologies and security and being able to provide branch offices network security as a service and other new features that are not yet announced, together, to our joint customers who are looking forward to adopting those. >> Ron, thank you so much for being here. Obviously, the partnership is critical to the security of our customers. As I mentioned, 100,000 mutual customers, a lot of them moving to the Cloud, we want to make it simple, we want to make it seamless for customers to protect their security, their compliance or governance with joint Azure and Check Point solutions. >> Thank you, Ann, for having us. It's a great opportunity to be talking about the things we do together, and we're looking forward to expanding the relationship and doing more for our customers and continuing to work with you, your team, and all our friends here at Microsoft, including you, Hayden. >> Thank you, Ron. >> Thank you again, Ron. Hayden, thank you so much. It's been a great session. I really appreciate you joining us today. >> It's delightful being here. Thanks, Ann. >> I want to thank all of you. It's been a long session. I really appreciate you joining us today. I know we've covered a lot of material, but candidly, we've actually only scratched the surface. So I would ask you to check out our new on-demand content covering deeper information on Azure Sentinel, Azure Security Center, and more coming up on our Microsoft Azure YouTube channel. We also want you to go to our Azure Security Expert Series page to learn more and connect with our tech community, and of course we want your feedback. There are Azure Security Team Ask Us Anything Twitter sessions scheduled for Monday, June 24th, at 10 AM Pacific Standard Time. In closing, I want to give a shout out to all of you who work hard every single day to protect every person and every organization on our planet so they can achieve more.
Thank you so much for tuning in. [MUSIC]
Info
Channel: Microsoft Azure
Views: 44,976
Rating: 4.8413363 out of 5
Id: pYHla2CQhM4
Length: 84min 12sec (5052 seconds)
Published: Wed Jun 19 2019